How to protect ColdFusion CFM templates from Cross Site Scripting attacks?

Posted in the ColdFusion forum on Tutorialized.


Hi all,
I am sharing a tip with you all. Hope it is useful. Any suggestions are welcome.
Perhaps the easiest attack that is possible on a web page is the Cross Site Scripting attack. Attackers can easily "view source" the web page and save it on a local box. They can easily manipulate the page content, change the POST ACTION link and easily penetrate your CFM templates.
However, restricting Cross Site Scripting attacks while working with ColdFusion is not so difficult. Add the following lines of code to your ColdFusion files to ward off these attacks.

<!--- Abort unless a Referer header is present and contains this server's host name --->
<cfif NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)>
    <cfoutput>An external host trying to communicate with the CFM template.</cfoutput>
    <cfabort>
</cfif>

Do note that we have used two ColdFusion CGI variables here:

CGI.HTTP_REFERER: Full URL of the template which posts the data to another template.

CGI.HTTP_HOST: Host server that the HTTP_REFERER posts data to.

This piece of code simply checks for any mismatch between HTTP_REFERER and HTTP_HOST, and if there is one, aborts.

Best Practice: We can have this piece of code in one CFM template and CFINCLUDE it in all CFM templates of a project to prevent Cross Site Scripting attacks.
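The guard above compares two request headers, so its behaviour can be checked offline by replaying header pairs through it. The following Python model is an added example, not code from the original post or from ColdFusion: substring_check() reproduces the post's <cfif> logic (FindNoCase is a case-insensitive substring search, so it passes whenever HTTP_HOST appears anywhere in HTTP_REFERER), and strict_check() is an assumed tighter variant that parses the Referer and compares its host name exactly. The host names, the sample requests and the function names are constructed for the illustration.

```python
"""Model of the Referer-vs-Host guard from the post, plus a stricter form.

Added example, not code from the original post. The ColdFusion test
    NOT len(CGI.HTTP_REFERER) OR NOT FindNoCase(CGI.HTTP_HOST, CGI.HTTP_REFERER)
aborts the request; substring_check() returns True when that test would
let the request through. strict_check() is an assumed alternative.
"""
from urllib.parse import urlsplit


def substring_check(http_host: str, http_referer: str) -> bool:
    """True if the post's <cfif> guard would allow the request.

    FindNoCase(a, b) returns the position of a inside b, case-insensitively,
    or 0, so the guard passes whenever HTTP_HOST is a substring of HTTP_REFERER.
    """
    if not http_referer:
        return False
    return http_host.lower() in http_referer.lower()


def strict_check(http_host: str, http_referer: str) -> bool:
    """Assumed stricter variant (not from the post): the Referer must parse
    as an http(s) URL whose host name equals HTTP_HOST, ports ignored."""
    if not http_referer:
        return False
    parsed = urlsplit(http_referer)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    expected = http_host.split(":", 1)[0].lower()
    return parsed.hostname.lower() == expected


# Constructed sample requests, not captured traffic: (label, HTTP_HOST, HTTP_REFERER)
SAMPLE_REQUESTS = [
    ("same-site form post", "www.example.com", "https://www.example.com/form.cfm"),
    ("no Referer header", "www.example.com", ""),
    ("external site", "www.example.com", "https://attacker.test/copy.html"),
    ("host name as a subdomain of another site", "www.example.com",
     "https://www.example.com.attacker.test/copy.html"),
    ("host name in the query string", "www.example.com",
     "https://attacker.test/?r=www.example.com"),
    ("same host, non-default port", "www.example.com:8500",
     "https://www.example.com:8500/form.cfm"),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {label: (allowed by post's check, allowed by strict check)}."""
    return {label: (substring_check(host, referer), strict_check(host, referer))
            for label, host, referer in requests}


if __name__ == "__main__":
    for label, (loose, strict) in evaluate().items():
        print(f"{label:45s} post's check={str(loose):5s} strict={strict}")
```

Running it shows where the two forms diverge: a Referer such as https://www.example.com.attacker.test/ or one that merely carries the host name in its query string satisfies the substring test but not the exact host comparison. Either form still depends on a header the client chooses to send; browsers omit it under a no-referrer policy, so legitimate users can be aborted, and any non-browser client can set it to whatever value passes.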